Privacy · sub-processors
Every third party we share data with
Updated whenever we add or remove a vendor. Notification cadence: 30 days before adding a new core-tier processor; immediate for breach-replacement.
Tier 1 · Core
Required to operate the service. Cannot be opted out of.
9 vendors
| Provider | Purpose | Data shared | Region | DPA |
|---|---|---|---|---|
| Amazon Web Services | Compute, storage, DB (IN/EU/US regions) | all user data | IN: ap-south-1 · EU: eu-central-1 · US: us-east-1 | DPA → |
| Cloudflare | CDN + DDoS + Pages hosting for the marketing site | request metadata, IP, UA | global edge | DPA → |
| Stripe | Payments (US / EU / UK / SG / AU) | name, email, billing, payment method | US-shipped, regional banks | DPA → |
| Razorpay | Payments (India) | name, email, billing, payment method | India (Mumbai) | DPA → |
| Firebase Cloud Messaging | Push notifications (Android) | device push token, segment | US | DPA → |
| Apple Push Notification | Push notifications (iOS / macOS) | device push token, alert payload | Apple infra (global) | DPA → |
| Twilio | SMS OTP (non-India) | phone number, OTP code | global gateways | DPA → |
| MSG91 | SMS OTP (India) | phone number, OTP code | India | DPA → |
| Postmark | Transactional email (OTP, receipts, weekly reports) | email address, message body | US | DPA → |
Tier 2 · Optional
Used only with your explicit opt-in or for specific gated features.
5 vendors
| Provider | Purpose | Data shared | Region | DPA |
|---|---|---|---|---|
| OpenAI | AI coach LLM (AIPI-10) — only for users with AI opt-in | redacted prompt + your aggregated stats; no email / name / device IDs | US (data not used for training) | DPA → |
| ElevenLabs | TTS for study-notes voice-over (LOC-07) | note text, voice style preference | US | DPA → |
| Stripe Identity | Identity verification for paid tournaments | ID document, selfie (retained 30d) | US | DPA → |
| Sentry | Crash reports (no PII) | stack trace, app version, OS — PII auto-scrubbed | EU | DPA → |
| Datadog | Server-side metrics (no PII) | aggregated metrics + structured logs | EU | DPA → |
Tier 3 · Regional
Used only in specific markets. Listed for transparency.
3 vendors
| Provider | Purpose | Data shared | Region | DPA |
|---|---|---|---|---|
| Razorpay Route | Mentor payouts (India) | mentor PAN, bank IFSC, account | India | DPA → |
| Stripe Connect | Mentor payouts (non-India) | mentor tax ID, bank | US / regional banks | DPA → |
| Payoneer | Mentor payouts (markets Stripe/Razorpay don't reach) | mentor tax ID, bank | US / global | DPA → |
Our processor-selection bar
- Signed DPA + standard contractual clauses where data crosses borders
- SOC 2 Type II report (we read them, not just check the box)
- Encryption in transit and at rest required
- Sub-processor must publish its own sub-processor list
- 30-day notice on any breach affecting our data
Spotted something? Email dpo@prep.app — DPO responds within 24 business hours.